1. Introduction

Each year the National Institute of Standards and Technology and the National Computer Security Center (NCSC) cosponsor the National Computer Security Conference. The conference provides a forum for technology transfer among system developers and a place where computer users can exchange ideas and learn new ways to apply current computer and information security technology. This major event on the computer security conference calendar provides an excellent opportunity for attendees to hear the leaders in the field report on their research and share experiences. A large, diverse national and international audience attends the conference, with participants from government, industry, and academe. One of the most important aspects of the conference is that its many activities provide an opportunity for contemporaries to network and gain new perspectives through the sharing of information and experiences.

2. Conference Program Highlights 

In addition to a track on criteria and evaluation, there were also tracks on research and development, integration and applications, and management and administration. Each track provided 11 sessions, each of 1 1/2 hours, of peer-reviewed papers or panel sessions. The opening and closing plenary sessions presented subjects and issues of interest and importance to the community. An added highlight of the conference was a tutorial track for newcomers to the computer security field.

2.1 Criteria and Evaluation Track 

A full track devoted to federal criteria evaluation and international harmonization efforts was presented. Collaborative efforts by NIST and the National Security Agency (NSA) to develop new criteria for trusted systems were presented. The criteria will be used to evaluate the ability of products to protect the confidentiality of data and to provide integrity and availability controls. The evolutionary efforts focused on … of the European community … on producing … for developing requirements for … international use. The … technology for widespread … The work performed by the United … to develop a common basis for … will serve to reduce costs to users … Through tutorials, panels, … relationships … of long-term significance.
2.2 Research and Development Track

Papers and panels in this track typically address 
technical R&D efforts related to security models. 
As in the past, a major interest in this track was the 
various aspects of the subject of access control, i.e., 
the rules, policies, and mechanisms that address 
which persons or which computer processes have 
access to a computer's data and resources, and 
under what circumstances. Access control-related 
papers covered: nonrepudiation in open teleco- 
operation; a mandatory denial of service model; 
issues and research directions in applying discre- 
tionary access control in object-oriented databases; 
new perspective on access control policies; regulat- 
ing processing sequences through object state to 
achieve access control; and a proposed model and 
related security policy for a mechanism used to 
provide access to Internet protocol networks. 

Two other papers addressed referential integrity 
and query acceleration in multilevel secure data- 
base systems. Still another presented an improved 
method of checking for "bad passwords" (See 
Sec. 4). 

To share the learnings of other forums, Hilary 
Hosmer, Data Security, Inc., chaired Best of New 
Security Paradigms II Workshop Panel. This panel 
examined: the relationship of responsibility model- 
ing and security requirements, a paradigm for 
flexible and adaptable access control in distributed 
applications, and identification and authentication 
when users have multiple accounts. The Enterprise Security Solutions Panel, chaired by Paul Lambert, Motorola, looked at security from an "enterprise" perspective, covering such areas as business issues and information security, securing the world's largest private internet, security with token-based access controls, and secure distributed computing for heterogeneous operating system environments. Three other panels presented research or concepts concerned with trusted applications. These included Strategies for Integrating Evaluated Products, chaired by Dr. James G. Williams, The Mitre Corporation; Multilevel Information System Security Initiative (MISSI), chaired by Gary Secrest, NSA; and Trusted Applications, chaired by Janet Cugini.

2.3 Integration and Applications Track

This track focuses on how security technology is 
being applied and how security products are being 
evaluated and integrated into secure systems. One of the themes in this track was that of certification and accreditation (C&A), i.e., the evaluation of the technical and nontechnical security controls to:
determine whether a specified set of security 
requirements are met; and support an official 
authorization by an appropriate management 
approving authority to place a system employing a 
prescribed set of safeguards into operational use. 
Papers in this area covered such subjects as C&A 
in a military communications network and in an 
Army multilevel secure (MLS) management infor- 
mation systems environment. Two other papers 
presented an approach and comprehensive 
methodology to C&A. Also, a panel in this track 
presented an update on INFOSEC design and 
certification initiatives at NSA. 

In addition to the papers and panel described, 
another focus area in this track was network secu- 
rity. Panels in this area included Network Security 
Management: The Harder Problem, chaired by
Ronda Henning, Harris Corporation, and Applica- 
tion of INFOSEC Products on Wide-Area-Networks, 
chaired by Joyce Capell, Lockheed Missiles & 
Space Company, Inc. 

Still another set of papers explored the subjects 
of access control policy needs among federal and 
private sector organizations and the administration 
of access rights in a multi-vendor system. The use 
of commercial-off-the-shelf products for automa- 
ted information systems (AIS) security, choosing a 
standard for security protocols, and performing 
product and system evaluations were also featured 
in this track, as were such topics as distributed 
auditing, an approach to risk assessment, designing 
secure MLS database systems, system testing, and 
integration of trusted products. 

A panel presenting a Debate of Critical Player 
Perspectives on MLS System Solution Acquisition 
Topics, chaired by Joel E. Sachs, Area Systems, 
Inc., and one on Security Issues for the Securities 
Industry, chaired by Sally Meglathery, New York 
Stock Exchange, provided the benefit of practical
experience to track attendees. 

2.4 Management and Administration Track 

This track presented a variety of papers and 
panel discussions on issues of concern in the 
management and administration of automated 
information systems and the security function. 

A particularly interesting and thought-provoking 
paper in this track explored the applicability of so- 
cial psychology to information security (See Sec. 4). 

Two other panels, On a Better Understanding of Risk Management Techniques, chaired by Stuart W. Katzke, NIST, and "How Much Security is Enough?" The Accreditor's Perspective, chaired by James P. Litchko, Trusted Information Systems, Inc., presented management considerations regarding risk management and accreditation. A related paper, Trusted Systems: Applying the Theory in a Commercial Firm, by Ernest C. Charles, Donna A. Diodati, and Walter J. Mozdzierz, Aetna Life & Casualty, showed an application of trusted systems in a commercial environment.

A particularly lively panel in this track, Protection 
of Intellectual Property, chaired by Gerald S. Lang, 
Harrison Ave. Corp., explored the technical, 
privacy, ethical, legal, political, and piracy issues 
involved in defining and protecting intellectual 
property. Another set of panels looked at planning 
for and responding to emergency situations. Terror 
at the World Trade Center, chaired by Sally 
Meglathery, New York Stock Exchange, discussed 
the security issues raised by the World Trade 
Center bombing. Contingency Planning in the 90s, 
chaired by Irene Gilbert, NIST, examined new 
technologies and innovative approaches to the sub- 
ject from an organizational, service provider, and 
user perspective, with emphasis on the planning
process and need to focus senior management 
attention. 

Still another series of panels examined a related 
set of subjects. These included: The Privacy Impact 
of Technology in the 90s, chaired by Wayne 
Madsen, Computer Sciences Corporation; Elec- 
tronic Crime Prevention, chaired by Robert Lau, 
National Security Agency; Virus Attacks and 
Counterattacks: Real-World Experiences, chaired by 
James P. Litchko, Trusted Information Systems, 
Inc.; and Security and Auditability of Electronic Vote 
Tabulation Systems, chaired by Rebecca Mercuri, 
University of Pennsylvania. 

Security Awareness, Training, and Professionalization: Status Report, chaired by Dennis Gilbert, NIST, presented a report by representatives of key organizations with a stake in promoting security training and professional development in the Federal government and the private sector. A related paper that addressed how to raise awareness about security issues was How to Market the Information Systems Security Program, by … Eakin, CISSP, Naval ….

Another interesting panel, The OECD Guidelines for the Security of Information Systems: A Look to the Future, chaired by Christine Axsmith, Esq., ManTech Strategic Associates, Ltd., reported on the efforts of the Organization for Economic Cooperation and Development to establish a common international framework for computer security. The goal of the guidelines is to develop a common set of principles from which many nations can begin to develop their computer security awareness and practices. It is expected that the guidelines will foster the proliferation of international trade.

2.5 Tutorials and Presentations Track 

A feature of each conference is a tutorial track. 
It provides those new to the field, those new to a 
particular subject, and those who are experienced 
practitioners wanting a "refresh," an opportunity 
to get a basic review of a given security subject. 
This year's conference provided a tutorial series on trusted systems, which covered a threats and security overview, trusted systems concepts, trusted networks, trusted database systems, and trusted integration. The tutorial portion of the track also included a session on viruses. In addition, the track offered a panel session on Getting Your Work Published, chaired by Jack Holleran, National Security Agency, and another on Information Systems Security Standards, The DISA Process, chaired by Hill Smith, CISSP, DISA. The former presented insights and "tips" by successful authors of security-related publications. The latter described the role of the Defense Information Systems Agency in the DoD INFOSEC standardization process. A final panel in this track, Security Requirements for Cryptographic Modules, chaired by Lisa Carnahan, NIST, gave information on the applicable NIST standards and validation program.

2.6 Closing Plenary 

Of particular interest was the closing plenary session in which Thomas R. Malarkey, Department of Defense, presented a paper entitled Seven Strategies for Information Technology Protection in the 1990s, which attempted to lay out several useful strategies for improving the U.S. posture in information technology (IT) security. The first section … successes and failures of … The second section … the infrastructure … over the next decade … government and industry … suggested directions for government …. These included: 1) … a national policy on …; 2) … minimum IT protection requirements; 3) unifying the current security communities into one protection community; 4) improved emphasis on …; 5) … in-depth evaluation for product quality control; 6) improving accountability features of IT products; and 7) increasing our investment in security interoperability. The presentation of the paper was followed by a lively discussion by the previous recipients of the conference award for outstanding contributions to the field (see Sec. 3). Chairing the session was award recipient Stephen Walker, joined by fellow recipients James P. Anderson, Dr. Roger Schell, and Dr. Willis Ware.

3. Outstanding Contributions to the Field 

Each year the conference presents an award to 
an individual who has made significant contribu- 
tions to the computer security community over a 
period of years. This year's recipient was Mr. 
Robert C. Courtney, of RCI, Inc. He was IBM's 
first Director of Data Security, Privacy, and 
Integrity. At IBM he launched a number of far- 
reaching research and development programs. 
Since 1981 he has been an independent security 
consultant and has testified frequently before 
Congress on data security-related matters. 

4. Outstanding Papers 

Also presented this year were two outstanding paper awards. One went to Michel E. Kabay, Ph.D., of the National Computer Security Association for his paper "Social Psychology and INFOSEC: Psycho-Social Factors in the Implementation of Information Security Policy." Significantly, the paper extends to computer security the learnings of another discipline, that of social psychology. By tapping into advice from the so-called "soft sciences," the paper argues that improving security depends on changing beliefs, attitudes, and behaviors of individuals and organizations. It shows how social psychology can help us to best work with human predilections and predispositions to achieve computer security goals. The other outstanding paper award went to Chris Davies and Ravi Ganesan of Bell Atlantic for their submission "BApasswd: A New Proactive Password Checker." This paper describes a process that can
help people choose passwords that are less likely to 
be vulnerable to dictionary attack. Some people 
point to poorly chosen passwords as the single 
largest cause of security incidents. Of significance 
is that the authors present an approach that 
minimizes storage and time to examine chosen 
passwords. 



5. Awards Ceremony 

This year, as in past years, the conference held a 
joint awards ceremony in which NIST and NCSC 
honored the vendors who had successfully devel- 
oped products meeting the standards of their 
respective organizations. In the case of NIST, its 
Computer Security Division provides validation 
services for vendors to use in testing devices for 
conformance to security standards defined in three 
Federal Information Processing Standards (FIPS): 
Data Encryption Standard (DES), Computer Data 
Authentication, and Key Management Using ANSI 
X9.17. In the case of NCSC, vendors are recog- 
nized who contribute to the availability of trusted 
products and who thereby expand the range of 
solutions customers can use to secure their data. 
The products are placed on the Evaluated Products 
List (EPL) following a successful evaluation 
against the Trusted Computer Systems Evaluation 
Criteria and its interpretations. (For further infor- 
mation, contact 301-975-2920 regarding the NIST 
awards and 410-859-4371 regarding the NCSC 
awards.) 

6. Other Activities of Interest 

In addition to the main track sessions, a number 
of other activities were available to the conference 
attendees including: 

• Booths featuring NIST publications and NSA 
information security (INFOSEC) awareness 
activities. The NIST booth highlighted the NIST 
Computer Systems Laboratory Bulletins, 4 to 
12 page documents, each of which covers a secu- 
rity topic in depth. The NSA booth highlighted 
NSA technical security guidelines, known as the 
Rainbow Series, named for the variety of its 
brightly colored document covers. 

• A book exhibit representing a selection of lead- 
ing publishing firms and the latest selections in 
published books on computer security. 

• Demonstrations of the NIST Computer Security Bulletin Board and NSA's Dockmaster, which provide
a wide variety of computer security information 
to federal agencies and to the public. Infor- 
mation posted on the NIST BBS includes an 
events calendar, software, reviews, publications, 
bibliographies, list of organizations, and other 
government bulletin board numbers. Also fea- 
tured is a set of advisories providing up-to-date 
information on computer security incidents and 
how to respond to them. Dockmaster is the
focal point for nationwide dissemination and 
exchange of INFOSEC data through electronic 
mail and BBSs. Over 2000 users from federal 
government organizations, private companies, 
and academic institutions participate in its 
forums and retrieve data on INFOSEC prod- 
ucts, conferences, and training. 

• An overview of Air Force systems security initia- 
tives and the status of the initiatives covering 
incident response, online surveys, and trends in 
tool development, with emphasis on tools to 
enhance security on systems and in organiza- 
tions. Also, demonstrations of tools on intrusion 
detection, risk management, and training. 

• "Networking" rooms for informal and "spur of 
the moment" discussions away from the 
crowded hallways. 

• An evening reception following the vendor 
awards ceremony and a banquet, at which a 
distinguished member of the community pro- 
vided a light-hearted, but thoughtful view of the 
profession in an after-dinner talk. This year's
speaker was Cheryl Helsing of Sun Microsys- 
tems, who has had considerable experience in 
many aspects of information systems security. 

7. Future Conferences 

It is expected that the next several National 
Computer Security Conferences will be held in the 
fall of each year in Baltimore, Maryland. 

8. To Obtain the Conference Proceedings 

Single copies of the 542-page NCSC 16 conference proceedings are available upon request. Please contact NIST CSL Publications at 301-975-2821.